Vulnerabilities / Threats
7/27/2012
11:24 AM
50%
50%

Mass Router Infection Possible: Black Hat

Black Hat presenters detail how an HTML5-compliant browser could deliver malicious firmware, bring network-connected hardware under attackers' control.

Routers, switches, printers, firewalls, and other network-attached hardware can be automatically targeted via the Internet and brought under attackers' control, with no user interaction.

That was the takeaway from the "Blended Threats and JavaScript: A Plan For Permanent Network Compromise" session Thursday at the Black Hat conference in Las Vegas. Such an attack hinges on modern browsers' support for HTML5, which allows developers to create complex JavaScript applications that run in the browser.

How could an attacker "own" a router? First, the victim would have to be lured into visiting a malicious website, which would then push JavaScript with instructions to the browser to tell it about all locally connected devices. Second, after learning about the network and finding a device to target, the malicious website would need to launch a brute-force attack and divine login credentials for the device. Then, after gaining access to the device, the website could then send malicious firmware, instructing the browser to install it on the targeted device.

At that point, "you've essentially turned these SOHO [small office/home office] devices into a full-blown Linux attack framework, and, generally speaking, it will still look and act the same way," meaning users would be none the wiser, said presenter Joshua Brashars, a senior penetration tester at AppSec Consulting.

"We're replacing an operating system on a network device and taking complete control of it," said fellow presenter Phil Purviance, an information security specialist at AppSec Consulting.

[ What can the FBI teach you about corporate security? See Black Hat: 6 Lessons To Tighten Enterprise Security. ]

Another upside--for attackers--of this type of an attack is that it could be used to install custom firmware, allowing an attacker to surreptitiously monitor everything that passed through the device, for example by instructing the router to send all data to an attacker-controlled website.

The researchers demonstrated the attack against a widely available type of Linksys router, noting that additional work would be needed to use the attack on a wide scale. According to Purviance, "this is something that can be done, if someone spent enough time and built a large enough toolkit."

One hurdle with the researchers' approach is that such a toolkit first needs to fingerprint--as in, identify--which types of devices were on a targeted network. The researchers said this type of functionality is offered via such free applications as JS-Recon--billed as an "HTML5-based JavaScript network reconnaissance tool," jslanscanner, which has a database of about 200 devices, or sscan. "A determined attacker could fine-tune utilities like jslanscanner and add hundreds of additional devices, and make them so much better," said Purviance.

When it comes to making this type of attack succeed, there several caveats, such as having to discover the access credentials for the device. Then again, while network-connected devices are typically password protected, many consumer devices ship with default usernames and passwords that don't get changed. "If you're able to find out what device they have, you're able to make a pretty good guess about what their password would be," said Purviance, noting that websites such as default-router-password database RouterPasswords.com can help.

In addition, the presenters said the attack would be more likely to succeed against SOHO (a.k.a. small or home office) devices, on which it's easier to update firmware, compared with an enterprise device. Some SOHO devices, for example, can even be instructed to fetch and install new firmware from a designated external website.

After identifying the router or other targeted device and brute-force guessing its account name and password, then pushing the correct type of malicious firmware to the device, installing the firmware would require a restart. Might a targeted user notice a router reboot? That's a possibility, but the researchers said that such behavior could be disguised via a social-engineering attack. One possibility would be to serve the attack via a fake file-sharing website, since users are often accustomed to having to wait for a minute or two before being allowed to download a file. After the router or other device restarted, there would be no indication that it was running malicious firmware.

The presenters said their findings built on previous research, including Black Hat talks in 2006 and 2007 delivered by Jeremiah Grossman and Robert Hansen, which demonstrated a cross-site request forgery attack in which websites could pass code to devices on the internal network. The AppSec researchers said they'd improved on that research by eliminating the need to trick users into revealing network-connected device account names and passwords. Instead, they said their attack could be fully automated, requiring no user interaction.

Your networks may be under attack as you read this, but unless your security personnel are analyzing logs and leveraging common tools that are well known to your network operations teams, you may not find out until it is too late. In our What's Going On?: Monitor Networks To Thwart Intrusions report, we explain how your security and network teams can cooperate and use common tools to detect threats before your databases are compromised. (Free registration required.)

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Dark Reading Tech Digest, Dec. 19, 2014
Software-defined networking can be a net plus for security. The key: Work with the network team to implement gradually, test as you go, and take the opportunity to overhaul your security strategy.
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-5208
Published: 2014-12-22
BKBCopyD.exe in the Batch Management Packages in Yokogawa CENTUM CS 3000 through R3.09.50 and CENTUM VP through R4.03.00 and R5.x through R5.04.00, and Exaopc through R3.72.10, does not require authentication, which allows remote attackers to read arbitrary files via a RETR operation, write to arbit...

CVE-2014-7286
Published: 2014-12-22
Buffer overflow in AClient in Symantec Deployment Solution 6.9 and earlier on Windows XP and Server 2003 allows local users to gain privileges via unspecified vectors.

CVE-2014-8015
Published: 2014-12-22
The Sponsor Portal in Cisco Identity Services Engine (ISE) allows remote authenticated users to obtain access to an arbitrary sponsor's guest account via a modified HTTP request, aka Bug ID CSCur64400.

CVE-2014-8017
Published: 2014-12-22
The periodic-backup feature in Cisco Identity Services Engine (ISE) allows remote attackers to discover backup-encryption passwords via a crafted request that triggers inclusion of a password in a reply, aka Bug ID CSCur41673.

CVE-2014-8018
Published: 2014-12-22
Multiple cross-site scripting (XSS) vulnerabilities in Business Voice Services Manager (BVSM) pages in the Application Software in Cisco Unified Communications Domain Manager 8 allow remote attackers to inject arbitrary web script or HTML via a crafted URL, aka Bug IDs CSCur19651, CSCur18555, CSCur1...

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Join us Wednesday, Dec. 17 at 1 p.m. Eastern Time to hear what employers are really looking for in a chief information security officer -- it may not be what you think.